Spam emails—everyone receives them, no one particularly likes them. Some of us delete them. Some of us simply ignore them. But, are they such a problem that requires all Canadian businesses, big or small, to overhaul how they communicate with their customers and potential customers?—You be the judge.
In December 2010, the Canadian government enacted An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act. Quite a mouthful (try saying it out loud…). It is more commonly referred to as the “Anti-Spam Legislation”, although I would argue that name is misleading. That is because the Act targets all electronic communications that are unsolicited. That is why I rather refer to it as the “Anti-Solicited Communications Act”.
The Act has not yet come into force. Although there is no set date, it is anticipated to come into force sometime in 2014. It is therefore important that all Canadian businesses become familiar with the Act and begin preparing for it now.
Commercial electronic messages
The Act prohibits anyone from sending a “Commercial Electronic Message” (“CEM”), unless the receiver of the CMN had given his or her consent to receiving it. The CEM is any form of electronic message (including email, text and voicemessage) sent for the purpose of encouraging participation in a commercial activity.
Unlike in the U.S. and other countries, where anti-spam legislation creates an “Opt out” requirement, the Canadian Act creates an “Opt in” requirement. This means that you cannot send a CEM, unless the person to whom the CEM is sent had previously given his or her consent to receiving CEMs from you. But here is the catch—sending an email requesting someone’s consent to receive CEMs is considered a CEM, and is therefore prohibited!
In addition to seeking consent, the sender must also include very specific identifying information in each and every CEM, including: the sender’s name and business name, mailing address and telephone numbers, email or web address. The CEM must also include an “unsubscribe” mechanism—allowing the receivers of the CEM to indicate that they do not wish to receive any further CEMs from the sender.
The Act provides limited circumstances when consent can be implied. Consent is implied when the sender and receiver have an “existing business relationship”, which is narrowly construed. For example, in the case of a business to customer CEM, consent is implied when that customer had purchased a product or service from the business in the 2 years preceding the sending of the CEM. So, for example, if a customer buys a product from your business, your business cannot continue to send CEMs to that customer 2 years after the sale, unless it has received express consent to do so.
There are limited exceptions to the requirement to obtain consent. Those include messages sent to someone with whom the sender has an existing personal or family relationship and messages sent from a computer outside of Canada. The latter exception may be jurisdictionally justified (i.e., the Canadian Act cannot regulate someone outside of Canada), but it means that the problem the Act is meant to address (i.e., annoying spam) is likely not to be resolved, as a significant portion of spam originates outside of Canada.
Liability for violations of the Act – be afraid… be very afraid
The liability imposed for sending a CEM without consent is significant. An individual who violates the Act’s prohibition against CEMs can face a fine of up to $1,000,000 and a corporation can face up to $10,000,000, for each CEM sent. There are also potential fines for directors and officers of a corporation that violates the Act.
In addition, the Act allows a person who receives a CEM in breach of the Act to bring a civil action against the sender, creating the possibility for a whole new slew of class actions.
Compliance with the Act
So what is a Canadian business to do if it wishes to send out CEMs to its customers or potential customers? It should send out consent requests before the Act comes into force (now!), or, at the latest, during the 3 year transition period after the Act comes into force.
It should also put into place policies and procedures for complying with the Act and educate its employees and management on those policies. Those policies and procedures would defer from company to company, depending on the line of business they are in, their marketing strategies and the form in which they communicate with customers and potential customers. I recommend that you consult with a lawyer specializing in the area when preparing those compliance policies.
The most full-proof way of avoiding violating the Act is by reverting back to sending correspondence and marketing materials through that antiquated system we call regular mail (what?!). If anything, this Act is bound to boost Canada Post’s revenues significantly.
That being said, if I had to choose between receiving email spam or mail spam (i.e, those flyers that regularly fill my recycling bin), I choose the former. At least no trees were harmed in their making. But, that’s just me.
To be continued…
The Act does not only prohibit spam. It also regulates other computer related activities, such as hacking, the installation of viruses and malware, and the violation of online privacy. Stay tuned next month, when I discuss how those provisions may affect your business.
Maanit Zemel
Partner
Miller Thomson LLP
- Swinging the privacy rights pendulum – The recent proposed amendments to Canada’s privacy law regime - November 28, 2023
- Breaking the “glassdoor” – Dealing with online reviews by employees - August 29, 2023
- The unreliability factor of using AI in the workplace - June 27, 2023